LockBit Ransomware Attacks Exploit ScreenConnect Servers Vulnerability

February 22, 2024

Attackers are exploiting an authentication bypass vulnerability, CVE-2024-1709, in unpatched ScreenConnect servers to launch LockBit ransomware attacks on compromised networks. Active exploitation of this severe vulnerability began a day after ConnectWise released security updates and cybersecurity companies posted proof-of-concept exploits. ConnectWise also addressed a second, high-severity path traversal vulnerability, CVE-2024-1708, which can only be exploited by threat actors who already hold high privileges. Both vulnerabilities affect all ScreenConnect versions, which led the company to remove all license restrictions so that customers with expired licenses can upgrade to the latest software version and protect their servers from attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-1709 to its Known Exploited Vulnerabilities Catalog, requiring U.S. federal agencies to secure their servers within a week, by February 29. Shodan currently tracks over 8,659 ScreenConnect servers, of which only 980 are running the patched version, ScreenConnect 23.9.8.
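The practical follow-up for a defender is to find which of their own ScreenConnect servers still run a release below 23.9.8. The script below is an added example, not code from the article or from ConnectWise: it parses version strings from an asset inventory and buckets hosts as patched, unpatched, or unknown. The hostnames and version strings in `SAMPLE_INVENTORY` are constructed for illustration (the four-part build numbers are made up), and the inventory format is an assumption; in practice the pairs would come from your own asset data.

```python
"""Triage ScreenConnect hosts against the patched release named in the article (23.9.8).

Added example, not from the article or ConnectWise. The inventory format
(hostname, version string) is an assumption; sample rows are constructed.
"""
from typing import Dict, List, Tuple

# ScreenConnect 23.9.8 is the fixed release the article reports; anything older needs upgrading.
PATCHED_VERSION = (23, 9, 8)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a version string such as '23.9.8.8811' or '22.6' into a (major, minor, patch) tuple.

    Extra trailing components (build numbers) are ignored; missing components count as 0.
    Raises ValueError for strings that are not dotted integers, so callers can route
    them to manual review instead of silently treating them as patched.
    """
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in parts[:3]]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def is_patched(text: str) -> bool:
    """True when the reported version is 23.9.8 or later."""
    return parse_version(text) >= PATCHED_VERSION


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Bucket hosts into 'patched', 'unpatched' and 'unknown' (unparseable version)."""
    result: Dict[str, List[str]] = {"patched": [], "unpatched": [], "unknown": []}
    for host, version in inventory:
        try:
            bucket = "patched" if is_patched(version) else "unpatched"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory; hostnames and build numbers are illustrative only.
SAMPLE_INVENTORY = [
    ("sc-prod-01.example.internal", "23.9.8.8811"),
    ("sc-branch-02.example.internal", "23.9.7.8804"),
    ("sc-legacy-03.example.internal", "22.6"),
    ("sc-new-04.example.internal", "24.1.0.8903"),
    ("sc-unknown-05.example.internal", "n/a"),
]

if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    for bucket, hosts in report.items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the `unknown` bucket deserve the same urgency as `unpatched` ones until someone confirms the installed version by hand; a scanner that cannot read a version should never default to "safe".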

Sophos X-Ops disclosed that threat actors have been using these two ScreenConnect vulnerabilities to deploy LockBit ransomware on victims' systems. They stated, "In the last 24 hours, we've observed several LockBit attacks, apparently after exploitation of the recent ConnectWise ScreenConnect vulnerabilities (CVE-2024-1708 / CVE-2024-1709)." They also noted that despite the law enforcement operation against LockBit, some affiliates are still operational.

Cybersecurity firm Huntress confirmed these findings, revealing that a local government entity, including systems likely linked to their 911 Systems, and a healthcare clinic have also been targeted by LockBit ransomware attackers exploiting the CVE-2024-1709 vulnerability. "We can confirm that the malware being deployed is associated with Lockbit," stated Huntress.

LockBit ransomware's infrastructure was seized earlier this week as part of a global law enforcement operation, Operation Cronos, led by the U.K.'s National Crime Agency (NCA). During this operation, several LockBit affiliates were arrested in Poland and Ukraine, while French and U.S. authorities issued arrest warrants and indictments against other LockBit threat actors. Despite this, LockBit continues to claim attacks on large-scale and government organizations worldwide. The U.S. State Department is now offering rewards of up to $15 million for information about LockBit ransomware gang members and their associates.
